
New and Improved Onion Services Will Premiere at Def Con 25

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While the majority of people use Tor to reach ordinary websites more safely, Tor can also be used to access websites and services that live inside the Tor network. We call those onion services (formerly: hidden services).

Since onion services are part of the Tor network, the services and the people connecting to them get more security and privacy; their traffic doesn't even leave the network. Onion services are relied on for metadata-free chat and file sharing, safer interaction between journalists and their sources like with SecureDrop, safer software updates, and more secure ways to reach popular websites like Facebook.

Preview the New Onion Services at Def Con

This Friday at Def Con, our Co-Founder and President Roger Dingledine will present our new and improved onion service design and let people try it out.

The code is in review, and the improved services are scheduled to be released in about a month. As of now, the stable version is expected in December. Check back here or on Twitter to hear about the release and try out the new onion services.

> The detention of a group of human rights defenders in Turkey for daring to learn about digital security and encryption continued last week with a brief appearance of the accused in an Istanbul court. Six were returned to jail, and four released on bail. In an additionally absurd twist, the four released activists were named in new detention orders on Friday, and are now being re-arrested.

I appeal to everyone to support Tor Project financially and in any other way they can. And I appeal to US citizens to express support for encryption generally to their political representatives. Remember: Turkey is a US ally, and the current US head of state has expressed support for Erdogan's increasingly authoritarian policies (Turkey is currently in an apparently unending "State of Emergency"; human rights orgs should plan now for the possibility that the US might follow suit, perhaps in the wake of an unprecedented natural disaster or nuclear weapons accident or cyberevent blamed on another nation.)

A particularly important point about onion services is that they can be "re-purposed" to provide better authentication of web-sites to web-users, and thus enhance cybersecurity for all. In particular, it is widely agreed that PKI (to enable customers to "know" they are logging into the website of their bank, not giving up their passphrase to a phishing site) is completely and rather hopelessly broken. No fix was thought possible--- until TP pointed out that onion sites appear to provide at least a partial solution which is available right now.

(Not a TP employee, just a Tor user, so if I got anything wrong, I trust someone from TP will clarify.)

I trust RD will mention the collaboration of Tor Project with Debian Project, and offer some discussion of the issue of how to advise Debian users who are updating packages via the onion mirrors can set up a reasonably simple and Debian-tor and TBB friendly "personal" firewall, i.e. one preventing unwanted outbound communications while not stepping on the toes of their Tor clients (probably at least two, one for Debian Tor and one for TBB while browsing).

Further, I wonder whether it might be technically feasible to push some of the less unfriendly major media organizations to

Presumably these companies would still want their users to sign in through Tor tunnels, which would require a drastic rethink of the whole CloudFlare model. (Ultimately I want users to be able to register and pay anonymously companies like NYT, but just now that might be a bridge too far.)

It would be necessary that companies participating in the trial would agree to run enough fast Tor nodes to make sure the network can cope with the increased load (even a trial program involving Slate would probably result in a noticeable increase in load). And it would be essential of course to try to make sure that this innovation doesn't impact anonymity for web-users who need to browse anonymously (the web generally, or the news site if not behind a paywall)--- I do not see how that might happen, but TP should try to make sure unwanted problems are not likely to result from a large number of new Tor users who are seeking cybersecurity rather than anonymity.

Further, I suspect that on-line banking, POS communications, etc, would all be safer if tunneled via Tor, provided of course that industry can be persuaded to try it and to themselves run enough fast Tor nodes to carry the (potentially) enormously increased load.

Because it is not yet known how current Tor would scale to carry all the world's web traffic (which should be the ultimate goal), all this should initially be smallish (for the media companies) proof of concept.

I cannot claim to have thought this through, just offering up a "Be Bold!" vision in which all the world's web traffic would ideally be carried by Tor network, for cybersecurity purposes, while also offering strong anonymity for those who need it.

DANE, https, Calomel add-on (not implemented/obsolete), OCSP(???) verify/add the authenticity of the site by comparing/showing the certificate : nothing to do with tor, firefox, chrome, opera.

- Tor provides onions but without https i should not use it.
- Tor is not on DANE afaik ( but is it recommended ?).
- Onion requires javascript or cookies (comment/login e.g.) so it is not more or less safe but just more hidden running inside a tor tunnel : it is just a technical trick.
- Javascript is not secure & cookie is a tracker/backdoor risk.
- it is strange that calomel be not on tor browser : incompatibility ?

The more users the more safe you are & running relays or make donations are still the better way to be involved without too much risk.

That they update their code or their config (I hope they have understood that a new language is needed ! ) is an important step but even the freedom of speech is becoming obsolete following a government policy of racketing and the rise of arrogant rogue-state & corrupted groups ; that is especially true in E.U.

I think the future of Tor is depending on the users & their interactions between each other.

Now, there is some reason to think that currently messing with PKI in the manner illustrated by the Comodo and DigiNotar hijackings is sufficiently difficult that some governments may attempt this (particularly when targeting a foreigner) only in the case of a few "high value targets", such as prominent journalists writing about government corruption or human rights groups investigating extralegal executions. Such highly targeted hijacking using fraudulent or stolen certificates may be very hard to detect.

So how can onion services help? By making it difficult for even sophisticated attackers to deploy targeted attacks of this kind. By forcing (we hope) the bad guys to either attack everyone--- which would be detected, we hope---- or to abandon this kind of very dangerous attack as too risky to themselves.

(Not a TP employee, just another user, so I defer to their expertise if I said anything wrong.)

i cannot access at mobile/tor [on Twitter] : why do you let an unavailable link ?
btw if you want censure (you do) the dialogue why do you not remove the reply tag ?
how much do you [where can i find the salaries of the tor team ?] earn by year ?

If you are complaining that you cannot access Twitter using (?) Tor Browser, you should provide more information about exactly what you are doing and what is the result.

Such problems may arise not from Tor Project miscoding, but from something Tor-unfriendly which Twitter (or one of their contractors) is doing.

> btw if you want censure (you do) the dialogue why do you not remove the reply tag ?

If you are complaining that Tor Project "wants" to censor comments, you should probably clarify whether you are complaining about moderators removing

o obvious spam such as links to dodgy on-line pharmaceutical sites,

o comments which bear too many similarities to past (state-sponsored?) attempts to troll this blog,

o potentially controversial but arguably legitimate comments.

I believe that I sometimes encounter the last, which is unfortunate, but I've been around long enough to have some idea of how much crap would happen here if moderators did not attempt to prevent some really atrocious comments from appearing.

> how much do you [where can i find the salaries of the tor team ?] earn by year ?

You want to know the salaries of individual Tor employees? Or just to obtain some sense of how they compare to "industry standards"? Because you want to apply for job at TP?

As a privacy advocate, I find it cause for concern when, as sometimes happens, commentators seem to assume that privacy is, or should be, dead. Which IMO is an attitude contrary to the core principles of the Tor Project.

# ok : that is a correct answer but it is not a response at my question :
# e.g : someone posts & the reply is locked _ so it is censured ... because someone does not appreciate a point of view that do not serve his_her own interest.

You ... TP?

# the more you earn the more you have significant results so trust = untrue
# the less you earn the less you work so deviance = untrue
# money is not anymore a scale of the value/competence/quality/job so how do you evaluate and for what job(s)_even unknown(s)_ the salary of an employee_boss ?

As a privacy advocate, I find it cause for concern when, as sometimes happens, commentators seem to assume that privacy is, or should be, dead. Which IMO is an attitude contrary to the core principles of the Tor Project.

# Privacy is living from the level of integrity of a democracy/republic/monarchy ... it is a genuine part of the human being in a group or a small community. In all cases, it is depending on how much your 'partner_s' is civilized & how deep & structured is your mind ; but the world is changing every day & these assertions are moving to a new conception : privacy is useless if you cannot afford one. Tor provides an individual way to not let privacy as unique state sponsored model in the hands of an universal freedom force.
